Some time ago I released my Tr3Secure
Volatile Data Collection Script, a dual-purpose triage script. The
script can not only be leveraged “to properly preserve and acquire data from
live systems” but it can also help to train people on examining volatile data. I
have completely overhauled the Tr3Secure collection script, including collecting
non-volatile data. I wanted to release the updated script to the community, but
I encountered a small issue.

At the time my updated script was collecting locked files
using HBGary’s FGET tool. FGET is a handy little tool. It can collect locked files
such as registry hives both locally and remotely. It can natively collect a
set of files such as the registry hives, or it can collect any file or
NTFS artifact specified by file path. The best part about FGET was the ability
to use it in scripts. FGET was freely available: at first it was downloadable
from the HBGary website, and later from the registered users’ portion of
the HBGary website. Unfortunately, FGET is no longer available for download, and
this was my small issue. How could I release a script that depended on a tool
no longer available? I couldn’t, so I set out to find a FGET replacement so I could
still collect locked files and NTFS artifacts while scripting
with it in a Windows batch file. This
post outlines the items I came across as I searched for my replacement.

Invoke-NinjaCopy

The first item up came from a recommendation by Jon Turner (@z4ns4tsu). Invoke-NinjaCopy
is a PowerShell script that, according to its GitHub home, “copies a file from an
NTFS partitioned volume by reading the raw volume and parsing the NTFS
structures. This bypasses file DACL's, read handle locks, and SACL's”. The clymb3r blog post Using
PowerShell to Copy NTDS.dit / Registry Hives, Bypass SACL’s / DACL’s / File
Locks explains why the author created the script and demonstrates how they
were able to grab the NTDS.dit (aka Active Directory) off a live system. Out of
everything I came across, Invoke-NinjaCopy was the only script/tool capable of
grabbing locked files either locally or remotely like FGET can. Towards the top
of my to-do list is to take a closer look at Invoke-NinjaCopy, since I think it
could be helpful in incident response activities in addition to pen testing.
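The locked-file problem the two sections above describe (the FGET gap and the Invoke-NinjaCopy approach) can also be handled from a triage script without raw NTFS parsing by reading the hives out of a Volume Shadow Copy. The following is an added example written for this post; it is not part of the Tr3Secure script, Invoke-NinjaCopy or any of the tools discussed, and it assumes Windows PowerShell 4 or later run from an elevated prompt, an output folder of C:\triage, and the SYSTEM and SOFTWARE hives as the files of interest.

```powershell
# Added example (not from Tr3Secure): collect locked registry hives for triage
# by snapshotting the system volume with VSS and copying from the snapshot.
param([string]$OutDir = 'C:\triage')   # assumed output location
$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Create a shadow copy of C:. The files inside the snapshot are not held
#    open by the running OS, so hives that are locked on the live volume
#    can be read normally.
$r = Invoke-CimMethod -ClassName Win32_ShadowCopy -MethodName Create `
        -Arguments @{ Volume = 'C:\'; Context = 'ClientAccessible' }
if ($r.ReturnValue -ne 0) { throw "Shadow copy creation failed: $($r.ReturnValue)" }
$shadow = Get-CimInstance Win32_ShadowCopy | Where-Object ID -eq $r.ShadowID

# 2. Expose the snapshot through a directory symlink. The \\?\GLOBALROOT
#    device path must end in a backslash for mklink to accept it.
$link = Join-Path $env:SystemDrive 'shadow_triage'
cmd /c mklink /d $link "$($shadow.DeviceObject)\" | Out-Null

try {
    # 3. Copy each hive and record a SHA-256 of the copy so the collected
    #    evidence can be verified later.
    $hashFile = Join-Path $OutDir 'hashes.txt'
    foreach ($hive in 'SYSTEM', 'SOFTWARE') {
        $src = Join-Path $link "Windows\System32\config\$hive"
        $dst = Join-Path $OutDir $hive
        Copy-Item -LiteralPath $src -Destination $dst
        $h = (Get-FileHash -Algorithm SHA256 -LiteralPath $dst).Hash
        "$h  $hive" | Add-Content -Path $hashFile
    }
}
finally {
    # 4. Clean up: remove the symlink and delete the snapshot so the
    #    collection leaves nothing behind on the examined system.
    cmd /c rmdir $link | Out-Null
    $shadow | Remove-CimInstance
}
```

The same pattern extends to any other locked file on the volume, such as the NTFS $MFT or event logs, by adding its path to the loop; creating a snapshot does generate VSS and WMI activity in the system's own logs, which is worth noting in collection documentation.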

The last item may be overkill as a FGET replacement, since it
is a complete triage tool. Eric Zimmerman’s OSTriage is still in development,
and I was afforded the opportunity to test it. The tool is able to parse
artifacts and presents a range of information. Some of the presented information
includes: P2P, network information (ARP cache and open ports), basic
system information, browser history, browser searches, and USB devices. OSTriage
even has the capability to image RAM. This is a tool to be on the lookout for.

Those wondering what I ended up choosing to replace FGET
will have to wait until my next post, when I release the new and improved Tr3Secure collection script.